The popularity of the iPhone, iPad and Android devices presents Exchange administrators with several logistical challenges. These consumer devices are portable and easy to use, and employees expect to use them to access enterprise systems and email from anywhere.


In bring your own device (BYOD) and bring your own PC (BYOPC) programs, the line between personal and corporate devices blurs. Both include features such as corporate mail access via ActiveSync, scheduling and secure access. Admins now have to watch more types of client connections to the IT infrastructure.

Complicating this is the fact that many of the people pushing the hardest for that access are at the executive level. They want their new gadgets configured to access business resources, and it is especially hard to say “No” to them.

Consider the following common factors when mixing personal devices with your corporate email infrastructure:

Data leakage/theft: Personal devices are just that -- personal. They are rarely encrypted and, particularly in the case of smartphones, go everywhere with their owners. Since they are typically used with home PCs and random Wi-Fi access points, mobile devices are open to all kinds of attacks. These devices are also easily lost or stolen.

If a particular device is connected to corporate email, it likely stores sensitive data. This, in turn, will be accessible to anyone who has access to the handset, including a thief if that device is stolen.

Ecosystem control: The enterprise doesn’t own endpoint hardware in BYOD, which can make it difficult to apply ActiveSync mailbox policies to such devices. It can be very hard to persuade users to disable certain aspects of a beloved technology that they own. You may want to apply a central policy developed for work, such as disabling removable storage.

Even if you already apply support and security policies to company-owned devices via ActiveSync, you’ll have to work to gain acceptance to apply the same policies to BYOD devices. In addition, IT must set boundaries and specify how far it will support personal devices.

Proliferation: As “smart device” user interfaces and products like Exchange Server 2010 have matured, it has become much easier for end users to configure device settings and connect to corporate resources like email without IT intervention.

Most modern smartphones that have licensed ActiveSync allow users to set up an Exchange mailbox simply by providing an email address.

Since the company doesn’t procure devices under BYOD, it’s easy to deviate from support and security standards.

Support: If a user wishes to connect a personal device to company mail and things either don’t work or stop working, who is responsible for fixing the problem? The employee might expect the IT department to handle it; IT staff might look at things differently, since that device is not issued by the company.

These issues can be considered “policy” decisions rather than technical issues specific to Exchange, but Exchange administrators should be aware of them so they can make plans to mitigate them within the organization’s email environment.

Addressing BYOD problems: Organizational policies

For example, your organization may have a policy stating that no data should be removed from the company on unauthorized USB memory sticks. That said, if you allow BYOD devices to sync email with attachments, data is in effect being removed on non-company equipment.

Furthermore, if you have a policy requiring devices that connect to the network to be configured with relevant restrictions -- say, password complexity, certain applications disabled and Wi-Fi disabled -- you will need to apply it to personal devices.

Users may not initially agree to mobile policies that already apply to company-owned devices. By making an exception for BYOD, however, you may be riding roughshod over existing standards and increasing the risk of enterprise data being compromised.

Organizations should consider modifying their policies so employees understand that if they connect personal devices to the corporate infrastructure, they will be held to the same standards as they are with corporate devices.

Consider what can happen if a BYOD device with company email gets lost. Your organization may have an agreement with the user to “remote wipe” the device. This will result in the deletion of personal texts, photos, video, etc., as well as company data.

If you say that personal mobile devices aren’t subject to that agreement, are you overstepping your legal data-protection limits?

To gain business intelligence about your remote device estate so that you know who and what is connecting, I recommend a few more PowerShell commands:

Parsing IIS Logs for ActiveSync device and user information: Use the cmdlet below to grab all of the ActiveSync data from the Internet Information Services (IIS) logs on your client access servers.

In essence, you can pass the directory that contains the IIS access logs to the Export-ActiveSyncLog cmdlet, which will parse all relevant information into a set of .csv files. These files are saved to the location that you specify in the -OutputPath parameter:

Getting ActiveSync device statistics for a specific user: If you want to get statistical information about the mobile devices assigned to a specific user, such as the device type, the last time the ActiveSync policy was updated or when the device last connected to your infrastructure, you can use the following cmdlet:
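As an added example (not code from the article), the script below drives the two cmdlets just described from the Exchange 2010 Management Shell: it loops Export-ActiveSyncLog over the recent files in an IIS log directory, since the cmdlet accepts one log file per call, and wraps Get-ActiveSyncDeviceStatistics in a report that flags stale partnerships and devices that never applied a mailbox policy. The paths, the look-back window and the Get-StaleDeviceReport function are assumptions.

```powershell
# Added example, not from the article. Assumes the Exchange 2010 Management Shell is loaded.
$iisLogDir    = 'C:\inetpub\logs\LogFiles\W3SVC1'   # placeholder: IIS log folder on a CAS server
$reportDir    = 'C:\EASReports'                     # placeholder: where the CSV reports go
$lookbackDays = 7

New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Export-ActiveSyncLog parses a single IIS log file per call, so iterate over the
# files written in the look-back window and produce one report set per file.
Get-ChildItem -Path $iisLogDir -Filter '*.log' |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$lookbackDays) } |
    ForEach-Object {
        Export-ActiveSyncLog -Filename $_.FullName `
            -StartDate (Get-Date).AddDays(-$lookbackDays) `
            -EndDate (Get-Date) `
            -UseGMT:$true `
            -OutputPath $reportDir
    }

# Per-mailbox view: which handsets a user has partnered, how stale each partnership
# is, and whether the device ever acknowledged the ActiveSync mailbox policy.
function Get-StaleDeviceReport {
    param(
        [string]$Mailbox,
        [int]$StaleDays = 30
    )
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Select-Object DeviceType, DeviceModel, DeviceID, DeviceUserAgent,
                      LastPolicyUpdateTime, LastSuccessSync, Status,
                      @{ Name = 'Stale'
                         Expression = { $_.LastSuccessSync -lt (Get-Date).AddDays(-$StaleDays) } },
                      @{ Name = 'PolicyNeverApplied'
                         Expression = { $null -eq $_.LastPolicyUpdateTime } }
}

# Organization-wide sweep: every mailbox with a partnership, keeping only the
# devices that are stale or never provisioned, written alongside the IIS reports.
Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } -ResultSize Unlimited |
    ForEach-Object { Get-StaleDeviceReport -Mailbox $_.Identity } |
    Where-Object { $_.Stale -or $_.PolicyNeverApplied } |
    Export-Csv -Path (Join-Path $reportDir 'stale-devices.csv') -NoTypeInformation
```

Stale partnerships are worth reviewing because a handset that has not synced in weeks may already be lost or replaced, yet its partnership still entitles it to a mailbox.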

Log Parser Studio is useful because it comes pre-packaged with a number of reports that provide key intelligence about which mobile devices are connecting, and to which users they are associated. (Figure 2.)

You can also produce some very cool graphs in Log Parser Studio, presenting a picture of your remote device real estate.

How to secure connected devices with Exchange Server

In the Exchange Management Console, navigate to Organizational Configuration -> Client Access -> Exchange ActiveSync Policies. From there, you can define policies that can be applied to all users or specific groups of users.

Within these policies, you can define password complexity; prevent the download of attachments to a device; and disable features such as the camera, Wi-Fi access or removable storage. You can also control application behavior (Figure 3).

Figure 3: Here’s a look at Exchange 2010 ActiveSync mailbox policies.
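The same policy settings the console exposes can be scripted. As an added example (not code from the article), this builds an ActiveSync mailbox policy covering the password, attachment, camera, Wi-Fi and storage-card controls mentioned above, assigns it to the members of a BYOD group, and then lists mailboxes that are still inheriting the default policy. The policy name, the group name and the Get-MailboxesOnDefaultPolicy function are assumptions.

```powershell
# Added example, not from the article. Assumes the Exchange 2010 Management Shell is loaded.
$policyName = 'BYOD-Personal-Devices'   # placeholder policy name
$groupName  = 'BYOD Users'              # placeholder distribution group

# Create the policy only if it does not exist yet so the script is safe to re-run.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName | Out-Null
}

# Hardened settings, grouped to match the controls described in the text.
# Splatting keeps the parameter list readable and lets each line carry a comment.
$hardened = @{
    Identity                           = $policyName
    DevicePasswordEnabled              = $true        # require a device PIN/password
    AlphanumericDevicePasswordRequired = $true        # complexity, not just digits
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 2
    MaxDevicePasswordFailedAttempts    = 10           # device wipes itself after 10 bad entries
    MaxInactivityTimeDeviceLock        = '00:05:00'   # auto-lock after five minutes idle
    RequireDeviceEncryption            = $true        # counters the "rarely encrypted" concern
    AttachmentsEnabled                 = $false       # no attachments cached on the handset
    AllowStorageCard                   = $false       # disable removable storage
    AllowCamera                        = $false
    AllowWiFi                          = $false
    AllowNonProvisionableDevices       = $false       # devices that cannot enforce the policy are refused
}
Set-ActiveSyncMailboxPolicy @hardened

# Assign the policy to every member of the BYOD group.
Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy $policyName }

# Audit: mailboxes with a device partnership that are still on the default policy,
# i.e. nobody made an explicit assignment. ActiveSyncMailboxPolicyIsDefaulted is the
# Get-CASMailbox property that records this.
function Get-MailboxesOnDefaultPolicy {
    Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncMailboxPolicyIsDefaulted } |
        Select-Object Identity, ActiveSyncMailboxPolicy
}
Get-MailboxesOnDefaultPolicy
```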

Quarantine or block particular handset types: Exchange 2010 has a feature that allows admins to either quarantine or block particular handset types. These are called ActiveSync Access Rules.

These rules can apply to all devices and can be tied to a specific manufacturer or particular mobile device type. In my examples, I have applied policies to iPhones.

The quarantine feature of Access Rules may be of particular interest to organizations that want to keep control of devices that connect to their infrastructure.

The quarantine function will stop all or selected devices from initially syncing to a mailbox until they have been verified by a relevant administrator. Admins can filter on the family or the specific device type.

The administrator will get an email letting him know that he needs to allow a specific device for a user, giving the admin control over what devices connect to the infrastructure (Figure 4).

Figure 4: Here's an example of an administrative message for an ActiveSync device.

You can also use PowerShell to configure these rules using the Get-ActiveSyncDeviceAccessRule cmdlet.
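As an added example (not code from the article), the script below sets up the quarantine workflow just described from the shell: an organization-wide default that holds unknown handsets and emails an administrator, an explicit rule for the iPhone device type used in the article's examples, and two helper functions to list what is waiting in quarantine and to release a single device for a single user. The admin address, the user notice text and the two function names are assumptions.

```powershell
# Added example, not from the article. Assumes the Exchange 2010 Management Shell is loaded.
$adminMailbox = 'easadmin@example.com'   # placeholder: who receives the quarantine notices

# Organization default: a handset with no matching rule waits in quarantine until an
# administrator allows it, and the administrator is told by email (Figure 4 above).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients $adminMailbox `
    -UserMailInsert 'Your device is awaiting IT approval before it can sync corporate mail.'

# Explicit rule for one device family, matched on the DeviceType characteristic.
# Rules are evaluated before the default, so this pins iPhones to quarantine even if
# the default is later relaxed to Allow.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceType' -and $_.QueryString -eq 'iPhone' }
if (-not $existing) {
    New-ActiveSyncDeviceAccessRule -QueryString 'iPhone' -Characteristic DeviceType -AccessLevel Quarantine
}

# Review every device currently held, with the reason Exchange recorded for the state.
function Get-QuarantinedDevices {
    Get-ActiveSyncDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId,
                      DeviceAccessStateReason, FirstSyncTime
}

# Release one device for one mailbox. This adds the device ID to that user's own
# allow list rather than creating a global rule, so the approval stays scoped to the
# person who was verified.
function Approve-QuarantinedDevice {
    param(
        [string]$Mailbox,
        [string]$DeviceId
    )
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{ Add = $DeviceId }
}

# Typical use: inspect the queue, then approve a device after confirming it with the user.
Get-QuarantinedDevices | Format-Table -AutoSize
# Approve-QuarantinedDevice -Mailbox 'jane.doe' -DeviceId 'ApplXXXXXXXXXXXX'   # placeholder values
```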

Consumerization and BYOD programs will no doubt keep enterprise IT busy. With these policies and commands, Exchange administrators should be able to get a grip on security and control of email and personal devices in the workplace.

ABOUT THE EXPERT: Andy Grogan, an Exchange MVP based in the U.K., has worked in the IT industry for the last 14 years -- primarily with Microsoft, HP and IBM technologies. His main passion is Exchange Server, but he also specializes in Active Directory, SQL Server and storage solutions. Andy is currently working for a large council in West London as the Networks and Operations Manager supporting 6,000 customers on more than 240 sites. Visit Andy’s website at www.telnetport25.com/.
